iPhone works on WPA2 Enterprise, but not on WPA2 personal

We have the following:

a) Wireless Network WIFI-A with
WPA2 Personal,
a preshared key,
client traffic in separate zone,
AES,
no client isolation,
SSID visible,
U-APSD enabled,
Fast transition disabled,
no MAC filter

b) Wireless Network WIFI-B with
WPA2 Enterprise (with authentication from a Linux FreeRadius server),
client traffic in separate zone,
AES,
client isolation enabled,
SSID visible,
U-APSD enabled,
Fast transition disabled,
no MAC filter

As further relevant configuration there is:

Interface INT-A of type Ethernet, hardware wlan4, IP 172.16.10.1/24 (=NET-A), MTU 1500, metric 20
Interface INT-B of type Ethernet, hardware wlan4, IP 172.16.11.1/24 (=NET-B), MTU 1500, metric 20

Network services: Allow DNS from NET-A and from NET-B

Network services: DHCP with range, DNS server, and default gateway suitable for NET-A and similarly for NET-B

Network protection: Allow Any from NET-A or NET-B to Internet IPv4/IPv6

--

When we connect an iPhone to WIFI-A, it can surf the internet fine. However, anything requiring the Apple ID, in particular the initial configuration of a new iPhone, does *not* work.

When we connect the same iPhone to WIFI-B, the problem does not occur.

As far as I can tell, the only differences are client isolation, which should not make a difference for communication from the iPhone to Apple, and WPA2 Personal instead of WPA2 Enterprise, which I cannot imagine making a difference.

What is wrong here?

  • Can we see pictures of the Edits of the DHCP servers?

    Does doing #1 in Rulz (last updated 2019-04-17) provide any additional information?

    Cheers - Bob

  • In reply to BAlfson:

    By popular demand:

  • In reply to hagman_01:

    As usual, all of your stuff is perfect.  I'm guessing that there's either a bug that only comes into play when client isolation is enabled or that the iPhone doesn't "like" the way the UTM achieves client isolation.  Does Sophos Support think this is a bug?

    A few minutes later...  Wait a minute.  Does the Web Filtering log show that the same Profile & Filter were selected for access via both WLANs?  What is different there with the Apple access attempts?

    Cheers - Bob
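One way to follow up on Bob's suggestion to compare which Web Filtering profile and filter action the two WLANs' clients actually hit, as an added example that is not part of the original thread. It assumes the UTM's key="value" style of web filter log line; the field names used (srcip, action, profile, filteraction, url), the REF_ identifiers and the sample lines are constructed for illustration and are not taken from the poster's system. Run it over a real log export from the UTM with the two networks filled in, and any destination that is blocked from NET-A but passed from NET-B points at the profile or filter action difference to look at.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the key="value" style of the UTM web filter log.
# Field names and REF_ identifiers are assumptions for this example only.
SAMPLE_LOG = """\
httpproxy[5123]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.10.23" dstip="198.51.100.10" statuscode="200" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" url="https://example.test/"
httpproxy[5123]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="172.16.10.23" dstip="203.0.113.7" statuscode="403" profile="REF_HttpProWifiA (WIFI-A profile)" filteraction="REF_HttpCffStrict (Strict action)" url="https://setup.example.test/"
httpproxy[5123]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.11.40" dstip="203.0.113.7" statuscode="200" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" url="https://setup.example.test/"
"""

# The two client networks from the post (WIFI-A -> NET-A, WIFI-B -> NET-B).
NETS = {
    "NET-A": ipaddress.ip_network("172.16.10.0/24"),
    "NET-B": ipaddress.ip_network("172.16.11.0/24"),
}

# Matches one key="value" pair; values may contain spaces and parentheses.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict (later duplicates win)."""
    return dict(KV_RE.findall(line))


def network_of(ip):
    """Map a source IP to NET-A / NET-B, or None if it is in neither."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for name, net in NETS.items():
        if addr in net:
            return name
    return None


def _records(log_text):
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        net = network_of(fields.get("srcip", ""))
        if net is None:
            continue
        yield net, fields


def summarize(log_text):
    """Per network: which (profile, filteraction) pairs were applied and how often
    they passed or blocked. A WLAN whose clients land on a different pair than the
    other WLAN is the first thing to inspect."""
    out = defaultdict(lambda: defaultdict(lambda: {"pass": 0, "block": 0}))
    for net, f in _records(log_text):
        key = (f.get("profile", "?"), f.get("filteraction", "?"))
        action = "block" if f.get("action") == "block" else "pass"
        out[net][key][action] += 1
    return out


def differing_destinations(log_text):
    """URLs whose outcome (pass/block) differs between networks, in first-seen order."""
    seen = defaultdict(dict)  # url -> {network: action}
    for net, f in _records(log_text):
        url = f.get("url")
        if url:
            seen[url][net] = "block" if f.get("action") == "block" else "pass"
    return [url for url, acts in seen.items() if len(set(acts.values())) > 1]


if __name__ == "__main__":
    for net, pairs in sorted(summarize(SAMPLE_LOG).items()):
        print(net)
        for (profile, fa), counts in pairs.items():
            print(f"  profile={profile!r} filteraction={fa!r} {counts}")
    print("destinations with different outcomes:", differing_destinations(SAMPLE_LOG))
```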